// internal/middleware/rbac.go
package middleware

import (
	"net/http"

	"github.com/gin-gonic/gin"
)

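// roleLevels maps a role name to its privilege level. A higher level is
// treated as a superset of every lower one (user < auditor < admin), so a
// check for "auditor" also admits "admin".
var roleLevels = map[string]int{
	"user":    1,
	"auditor": 2,
	"admin":   3,
}

// RBACMiddleware returns a gin handler that lets the request through only when
// the caller's role is at least as privileged as requiredRole.
//
// The caller's role is read from the context key "role"; this middleware does
// not authenticate anything itself, so it must be registered after the
// middleware that validates the caller and sets that key. A missing or unknown
// caller role, or a requiredRole that is not in roleLevels, is rejected with
// 403 and the handler chain is aborted — misconfiguration fails closed rather
// than open.
func RBACMiddleware(requiredRole string) gin.HandlerFunc {
	// Resolve the bar once when the middleware is built instead of on every
	// request; the role table is static, so there is nothing to recompute.
	requiredLevel, requiredOk := roleLevels[requiredRole]

	return func(ctx *gin.Context) {
		userLevel, userOk := roleLevels[ctx.GetString("role")]

		// Both roles must be known and the caller must meet or exceed the
		// required level; anything else is denied.
		if !requiredOk || !userOk || userLevel < requiredLevel {
			ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"error": "权限不足"})
			return
		}

		ctx.Next()
	}
}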